6

I have a web site that requires users to log in by providing their email and password to gain an access token, where the access token is used to access the API.

Users can then gain read/write access with the scope provided by the access token.

So, what I would like to understand here is what roles the client ID and client secret play in such a case, and what benefits implementing a client ID and client secret can provide. I really do not see the need to implement a client ID and client secret, since the user may just use the access token to gain access rights.

vincentsty

2 Answers

5

You don't have to issue client IDs if you can achieve what you want to do without them. For example, if you have privileges to handle email (user ID) and password directly, you don't need a client ID.

In general, client IDs are needed only when you want to allow (third-party) client applications to access (your service's) users' data with restricted privileges. In this case, each client application must be given authorization by a user. As a result, your system will need client IDs to know which client application the user has granted permissions to.

Takahiko Kawasaki
1

By using a client ID/secret you can potentially control which clients are allowed to connect to your API and make decisions such as rate limiting them or blocking them. This is the way that, e.g., Twitter can ensure that no other Twitter client is allowed to have over 100,000 users.

mbwasi
  • Why can't it be done through the user ID instead? BTW, what is the difference between a client ID in OAuth and a user ID? – vincentsty Dec 16 '15 at 13:45
  • @vincentsty The user ID will identify the user and the client ID will identify the client (app) that is accessing an API. Let's say I have 3 different Twitter apps on my phone: all 3 will have their own client ID, but my user ID can be the same (potentially). That way the Twitter API can know which app I am using to access their service and can block all requests coming from App 1 while allowing App 2 and 3 to continue working. – mbwasi Jan 20 '16 at 13:30
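The per-client control described in this answer and its comments, as an added example that is not code from the original answers: a minimal token endpoint that authenticates the client (ID + secret) and the user, records which client each token was issued to, and lets the API block or rate-limit one app while the same user's tokens from other apps keep working. All client IDs, secrets, users and limits below are constructed for the demo.

```python
import hashlib
import hmac
import secrets

# Constructed client registry: only the hash of each client secret is stored
# server-side; the plaintext secret lives with the client application.
CLIENTS = {
    "app1": {"secret_hash": hashlib.sha256(b"s1").hexdigest(), "blocked": False, "rate_limit": 2},
    "app2": {"secret_hash": hashlib.sha256(b"s2").hexdigest(), "blocked": False, "rate_limit": 100},
    "app3": {"secret_hash": hashlib.sha256(b"s3").hexdigest(), "blocked": False, "rate_limit": 100},
}
# Constructed user store. Demo only: a real deployment uses a slow password
# hash (bcrypt/argon2), not plain SHA-256.
USERS = {"alice@example.com": hashlib.sha256(b"pw").hexdigest()}

TOKENS = {}  # token -> {"user": ..., "client": ..., "scope": ...}
CALLS = {}   # client_id -> number of API calls made with that client's tokens

def issue_token(client_id, client_secret, email, password, scope="read"):
    """Password-style grant: both the client and the user must authenticate."""
    client = CLIENTS.get(client_id)
    presented = hashlib.sha256(client_secret.encode()).hexdigest()
    # Unknown client or wrong secret: no token, regardless of user credentials.
    if client is None or not hmac.compare_digest(client["secret_hash"], presented):
        return None
    if USERS.get(email) != hashlib.sha256(password.encode()).hexdigest():
        return None
    token = secrets.token_urlsafe(16)
    # Remember which client this token was issued to; that binding is what
    # makes per-client policy possible later.
    TOKENS[token] = {"user": email, "client": client_id, "scope": scope}
    return token

def api_call(token):
    """Return an HTTP-style status for a request bearing `token`."""
    info = TOKENS.get(token)
    if info is None:
        return 401                       # no valid token
    client_id = info["client"]
    if CLIENTS[client_id]["blocked"]:
        return 403                       # this app is banned, user unaffected elsewhere
    CALLS[client_id] = CALLS.get(client_id, 0) + 1
    if CALLS[client_id] > CLIENTS[client_id]["rate_limit"]:
        return 429                       # per-client quota exceeded
    return 200

def block_client(client_id):
    """Operator action: cut off one client application entirely."""
    CLIENTS[client_id]["blocked"] = True
```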